Request SSL Certificate from Microsoft CA with Certreq

Steps to request SSL Certificate from Microsoft CA with Certreq

  1. Prepare an INF file and save it as C:\temp\RequestConfig.inf
  • Subject – replace the value with CN=FQDN of the server
  • Exportable – the private key is exportable
  • CertificateTemplate – WebServer
  • Include the additional SAN names under 2.5.29.17 = "{text}" ; SAN – Subject Alternative Name
[NewRequest]
Subject = "CN=lan-win2019.lab.aventislab.info"
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 2048
KeySpec = 1 ; Key Exchange - Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate="WebServer" ; Certificate Template
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
2.5.29.17 = "{text}" ; SAN - Subject Alternative Name
_continue_ = "dns=lab-win2019.lab.aventislab.info&"
_continue_ = "dns=lab-ad01.lab.aventislab.info&"
_continue_ = "dns=wifi.lab.aventislab.info&"
  2. Generate a certificate request file (.req) from the INF file and save it as C:\Temp\CertRequest.req
C:\Temp>certreq -new C:\temp\RequestConfig.inf c:\temp\CertRequest.req
Active Directory Enrollment Policy
  {17C685B4-17D8-4A8A-9720-20FFBFA13C6D}
  ldap:

CertReq: Request Created

  3. Submit CertRequest.req to the internal CA server to generate UAT.cer
PS C:\temp> certreq.exe -submit CertRequest.req UAT.cer
Active Directory Enrollment Policy
  {875D5759-8FF7-406C-84A8-D93C4C3753B3}
  ldap:
RequestId: 40
RequestId: "40"
Certificate retrieved(Issued) Issued

Click OK

  4. Import UAT.cer into the Local Computer certificate store
PS C:\temp> Import-Certificate -FilePath UAT.cer -CertStoreLocation cert:\LocalMachine\MY

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\MY

Thumbprint                                Subject
----------                                -------
EE933AFAB3F3FA82D223696BD2535B6B7306B7CA  CN=AVENTIS-MGMT.lab.aventislab.com
  5. Export the certificate to C:\Temp\UAT.pfx
$Password = ConvertTo-SecureString -String "P@ssw0rd" -Force -AsPlainText
Get-ChildItem -Path cert:\localMachine\my\EE933AFAB3F3FA82D223696BD2535B6B7306B7CA | Export-PfxCertificate -FilePath C:\Temp\UAT.pfx -Password $Password
  6. Transfer the UAT.pfx file to another machine and import it with:
$Password = ConvertTo-SecureString -String "P@ssw0rd" -Force -AsPlainText
Import-PfxCertificate -FilePath C:\Temp\UAT.pfx -Password $Password -CertStoreLocation cert:\LocalMachine\my 
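
A check to run between the import and export steps above, added here as an example and not part of the original post: it confirms that the issued certificate has its private key, carries the Server Authentication EKU, and lists the subject CN and the requested DNS names in its SAN before the PFX is exported. The function name Test-IssuedCertificate is hypothetical, the SAN parsing assumes an English-locale Windows, and the export prompts for the PFX password with Read-Host instead of embedding it in the script.

```powershell
# Added example (not from the original post): verify the issued certificate before export.
# Assumption: English-locale Windows, because the SAN text ("DNS Name=...") is localized.
function Test-IssuedCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,
        [Parameter(Mandatory)] [string[]] $ExpectedDnsNames
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()

    # Export-PfxCertificate needs the private key that "certreq -new" created on this machine.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1), as requested in the INF file.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'Server Authentication EKU is missing' }

    # DNS names from the SAN extension (2.5.29.17); Format($true) prints one entry per line.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($san) {
        $sanNames = @([regex]::Matches($san.Format($true), 'DNS Name=(\S+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
    }

    # Modern TLS clients match the host name against the SAN only, so the subject CN must be listed too.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    foreach ($name in @($cn) + $ExpectedDnsNames) {
        if ($sanNames -notcontains $name.ToLowerInvariant()) { $problems += "SAN does not contain $name" }
    }

    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }

    [pscustomobject]@{
        Subject     = $cert.Subject
        SanDnsNames = $sanNames
        Problems    = $problems
        IsValid     = ($problems.Count -eq 0)
    }
}

# Thumbprint and DNS names are the values shown on this page; substitute your own.
$thumb  = 'EE933AFAB3F3FA82D223696BD2535B6B7306B7CA'
$result = Test-IssuedCertificate -Thumbprint $thumb -ExpectedDnsNames @('lab-win2019.lab.aventislab.info', 'lab-ad01.lab.aventislab.info', 'wifi.lab.aventislab.info')
$result | Format-List
if ($result.IsValid) {
    $Password = Read-Host -Prompt 'PFX password' -AsSecureString   # prompt instead of a literal password
    Get-Item "Cert:\LocalMachine\My\$thumb" | Export-PfxCertificate -FilePath C:\Temp\UAT.pfx -Password $Password
}
```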
